Android data theft exploit to be plugged in Gingerbread [Video]

Google’s Android security team are working on a fix for a browser exploit that can give websites unofficial access to files stored on an Android device’s memory card. Set to be addressed in the imminent Android 2.3 Gingerbread release, the exploit was identified by Thomas Cannon who found that, thanks to a combination of automatic file downloads, JavaScript and microSD access policies, by clicking on certain HTML (either in the browser or in an email) users could accidentally give access to private data.

There are some limitations to the exploit, mainly that the third-party must know the names of the files they wish to steal. However, since many devices follow standardized naming patterns for files like photos and videos, that may not be too great a reach after a little research. Cannon describes the process as follows:

The Android browser doesn’t prompt the user when downloading a file, for example “payload.html”, it automatically downloads to /sdcard/download/payload.html

It is possible, using JavaScript, to get this payload to automatically open, causing the browser to render the local file.

When opening an HTML file within this local context, the Android browser will run JavaScript without prompting the user.

While in this local context, the JavaScript is able to read the contents of files (and other data).

The flaw has been independently verified by Heise Security, and right now the best advice is to be wary of suspicious looking websites, HTML links in emails from users you don’t know, or unexpected downloads suddenly popping up in the Android notification bar. Given Android 2.3 Gingerbread won’t be available to all devices after it launches, users still need to be careful until their phone is updated.